15 August 2024

Amendment To ANATEL's Cybersecurity Regulations - Incident Notification And Prior Evaluation Of Suppliers

Mayer Brown


The National Telecommunications Agency (ANATEL) published Resolution No. 767 of August 2024 (the "Resolution"), which amended Resolution No. 740 of 2020, also known as the Cybersecurity Regulation Applied to the Telecommunications Sector ("R-Ciber"). The amendments to the Resolution will come into force on September 2, 2024, by which time the internal policies of telecommunication service providers must have been modified.

With regard to aspects of information security and data protection, the Resolution essentially changed two points:

1. Extension of the obligation to notify ANATEL of information security incidents

R-Ciber created an obligation to notify ANATEL of relevant incidents that substantially affect the security of telecommunications networks and user data. R-Ciber's specific definition of an "incident" includes an event that allows, or may allow, a breach of the confidentiality, availability, or integrity of protected information, or an event which involves a critical information asset or critical activity for a period of time shorter than the recovery target time.

The Resolution extends this obligation, now requiring telecommunications service providers, regardless of size, to notify ANATEL of incidents that must also be notified to the Brazilian Data Protection Authority (ANPD). It should be noted that no effective prior notification to the ANPD is required – if the Brazilian General Data Protection Law (LGPD)'s incident notification trigger detailed below is met, ANATEL must be notified.

The trigger for notification to the ANPD is provided for in Article 48 of the LGPD and applies to any incident that may cause relevant risk or damage to data subjects. The ANPD considers an incident to be any confirmed, adverse event that could affect confidentiality, integrity, availability and/or authenticity of personal data.[1] In other words, the notification triggers for ANATEL are more restricted and specific than under the LGPD. Therefore, incidents that would previously only trigger notification to the ANPD will now also require notification to ANATEL.

2. Expansion of the cybersecurity requirements of suppliers to be assessed by telecommunications service providers

As part of the supplier evaluation process, Article 7 of R-Ciber already required suppliers to carry out periodic independent audits and a compliance assessment of their cybersecurity policies – ensuring alignment with the principles and guidelines of R-Ciber. This evaluation process must be documented and presented to ANATEL upon request.

The Resolution deepened this obligation with regard to data processing and storage and cloud computing service providers, mirroring regulations in place for other Brazilian entities, such as the Central Bank of Brazil.[2] Requirements, such as the controls adopted by third parties to mitigate risks, should be assessed, covering critical network functions and the processing of personal data. In short, telecommunications service providers must assess the compliance of these third parties with the LGPD and ANPD.

Footnotes

1 Art. 3 of Resolution CD/ANPD no. 15, of April 24, 2024.

2 CMN Resolution No. 4,893 of February 26, 2021 and BCB Resolution No. 85 of April 8, 2021.


© Copyright 2024. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
